Today, we are announcing a new Network Session Essentials solution in Public Preview. This is a domain solution and the first Microsoft Sentinel solution to leverage the Advanced Security Information Model (ASIM). The solution provides a set of generic out-of-the-box (OOTB) content, specific to network security scenarios, that supports over 15 network products and services including Azure Firewall, Palo Alto Firewall, Corelight, Cisco Meraki, Fortinet FortiGate and more. This means the same content from this solution can work with multiple network products deployed in your organization, delivering more protection for your network with less effort. Learn more about domain solutions that leverage ASIM.
Microsoft Sentinel has 280+ solutions in Content hub. These enable customers not only to connect their data sources and ingest data into Microsoft Sentinel, but also provide out-of-the-box (OOTB) analytic rules, hunting queries, workbooks, playbooks, and more to help customers realize their end-to-end scenarios in Sentinel. Even though this approach lets customers integrate many different products into Microsoft Sentinel, it brings certain challenges. For example, there are multiple product solutions in the Security-Network domain category, such as Azure Firewall, Palo Alto Firewall, Corelight, etc. These have differing data ingest components by design, but the analytics, hunting queries, workbooks, etc. within the same category follow a common pattern. To take a specific example, most of the major network products share a basic set of firewall alerts, including alerts for malicious traffic coming from unusual IP addresses. Today that analytic rule template is essentially duplicated in each of the Security-Network product solutions. Customers running multiple network products need to review and configure each of these analytic rules individually, which is inefficient, and the duplicated rules cause alert fatigue when they fire. With OOTB content built on ASIM, the same alert rule can work across multiple networking solutions deployed in your organization.
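To make the ASIM idea concrete, here is an added example query (not content shipped with the solution) that detects a burst of denied inbound sessions from a single source across every product feeding the ASIM network session schema. It assumes the `_Im_NetworkSession` ASIM parser is deployed in the workspace and that the prerequisite product connectors populate it; the threshold and lookback values are constructed for illustration.

```kql
// Added example: one product-agnostic detection over ASIM-normalized network sessions.
// Assumes the ASIM parser _Im_NetworkSession is installed in the workspace.
let lookback = 1h;          // constructed value; tune per environment
let threshold = 100;        // constructed value; denied sessions per source per hour
// Filtering parameters are pushed into the parser for performance instead of
// filtering after the fact on a very high-EPS table.
_Im_NetworkSession(starttime=ago(lookback), endtime=now(), eventresult='Failure')
| where NetworkDirection == "Inbound"
// The same summarization works whether the row came from Azure Firewall,
// Palo Alto, Corelight or any other product with an ASIM network session parser.
| summarize DeniedSessions = count(),
            DistinctDstPorts = dcount(DstPortNumber),
            DistinctTargets = dcount(DstIpAddr),
            Products = make_set(EventProduct)
          by SrcIpAddr, bin(TimeGenerated, lookback)
| where DeniedSessions > threshold
// Products shows which sources contributed, which is useful when triaging
// an alert raised by a rule that spans several vendors.
| project TimeGenerated, SrcIpAddr, DeniedSessions, DistinctDstPorts, DistinctTargets, Products
| order by DeniedSessions desc
```

The same query body can be used as a scheduled analytic rule or a hunting query without any per-vendor changes; only the parser and its source connectors differ per environment.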
Key Capabilities:
Prerequisites:
The Network Session Essentials solution, like other Microsoft Sentinel domain solutions, doesn't include a data connector. It depends on the source-specific connectors in the respective Microsoft Sentinel product solutions to pull in the logs. Install one or more of the prerequisite product solutions listed below, and configure the respective data connectors to meet the underlying product dependencies and to get the most out of this solution's content.
Note: As the parser coverage for this solution increases, this list will also increase.
Out-of-the-box content offered:
This solution comes with seven analytic rules, four hunting queries, one playbook, one workbook, and one watchlist.
Analytics rules:
Hunting queries:
Summarization playbook:
The Network Session Essentials domain solution is expected to handle data at a very high rate of events per second (EPS). Content that queries such high-EPS data directly can suffer a performance impact, causing slow loading of workbooks or query results. To overcome this, we have created a summarization playbook that summarizes the source logs and stores the result in a predefined table. The content of the Essentials domain solution does not query this table unless the summarization playbook has been enabled.
Note: Additional charges might apply for Azure Logic apps. For more information, see the Azure Logic Apps pricing page. Additional charges might also apply for storage of the summarized data.
Workbook:
This solution provides one workbook, the Network Session Solution workbook, which covers details for the events listed below.
Watchlist:
The solution includes one watchlist, ‘NetworkSession_Monitor_Configuration’, which holds more than 70 different sets of conditions that drive analytic rule detections and hunting queries. This watchlist provides the following advantages:
Getting started:
This solution is available in Content hub like any other solution. Search for the solution and click Install. Before installing, make sure at least one of the prerequisite source-specific solutions listed below is already installed and its data connector(s) configured.
All the content, including analytic rule templates, hunting queries, the playbook and the workbook, can be managed from the Content hub manage view and will also be available in the respective content galleries. Let us know your feedback using any of the channels listed in the questions or feedback section.